
Vulnerabilities from the last week
Arbitrary Code Injection
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.
Affected versions of this package are vulnerable to Arbitrary Code Injection via the handleException function and the sandbox-side globalPromise.prototype.then wrapper in lib/setup-sandbox.js. An attacker can reach host Function and execute arbitrary code by throwing or resolving a sandbox-realm null-prototype object and then assigning a host function such as Buffer.prototype.inspect to a property on the caught/resolved value. The bridge proxy created for that value writes the raw host function back onto the underlying sandbox object, so the original sandbox reference exposes a host function whose .constructor leads to Function('return process')() and full sandbox escape.
Notes: This issue was introduced as part of the mitigation for CVE-2026-44000.
Improper Handling of Insufficient Permissions or Privileges
wagtail is an open source content management system built on Django.
Affected versions of this package are vulnerable to Improper Handling of Insufficient Permissions or Privileges on page copy. An attacker can gain unauthorized access to restricted page content by copying pages from areas they do not have permission to access into areas where they do have access.
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Affected versions of this package are vulnerable to Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') via the processing of JDBC connection URL parameters. An attacker can execute arbitrary code by supplying a crafted connection URL that causes the loading and execution of malicious classes present on the application's classpath.
Recent vulnerabilities disclosed by Snyk
- Missing Authentication for Critical Function in django-mdeditor (pip)
- Remote Code Execution (RCE) in simple-git (npm)
- Cross-site Scripting (XSS) in github.com/yuin/goldmark/renderer/html (golang)
- Division by zero in jsrsasign (npm)
Snyk security researchers have disclosed 3486 vulnerabilities.
About Snyk dependencies vulnerability database
Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer's toolkit.